Montgomery transform device, arithmetic device, IC card, encryption device, decryption device and program

ABSTRACT

According to an aspect of the invention, Montgomery arithmetic can be achieved while omitting division in an input stage. That is, the aspect of the invention is configured to obtain a Montgomery transform result m′ (=mR mod p) of n-bit from an input m of 2n-bit without using the division, with using Montgomery reduction and Montgomery multiplication instead of conventional mod arithmetic and the Montgomery transform. Accordingly, Montgomery arithmetic can be achieved while omitting the division in the input stage.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based upon and claims the benefit of priority from prior Japanese Patent Application No. 2004-336047, filed Nov. 19, 2004, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The present invention relates to a Montgomery transform device, an arithmetic device, an IC card, an encryption device, a decryption device and a program which are small-sized and capable of being incorporated in an IC card (smart card).

A public key encryption system is one of the most important techniques among encryption techniques. Encryption systems such as Rivest-Shamir-Adleman (RSA) encryption and the digital signature algorithm (DSA) signature have been widely used. In recent years, it has become possible to execute the RSA signature on the IC card, and the application field of security has spread accordingly. However, a usual IC card has a CPU with low performance, so that the CPU alone requires too much time to perform signature processing. Therefore, an IC card for encryption additionally has an arithmetic device, referred to as an encryption accelerator or a coprocessor, so as to reduce the time necessary for the signature processing.

A leading public key encryption system is composed of arithmetic calculation on a finite field. An arithmetic object is, for example, a multi-precision integer of 1,024 bits. Many arithmetic techniques have been developed to miniaturize and accelerate the encryption accelerator. An especially important arithmetic technique is a system using the Chinese remainder theorem (CRT) and Montgomery reduction. CRT and Montgomery reduction are described in detail in, for example, A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, “Handbook of applied cryptography”, CRC Press, section 14, etc., (1997).

CRT can execute calculation on a subfield and reduce calculation time by supposing that the factorization of a modulus is already known. In the case of RSA encryption, it is assumed that a modulus n can be factorized into two prime numbers p and q, so that a calculation result of mod n (=mod pq) can be calculated on the basis of calculation results of mod p and mod q. In this case, since all of the intermediate calculation can be done with almost half the number of digits, the calculation amount is reduced.

Montgomery reduction can calculate a remainder necessary for calculation on the finite field only by multiplication, without division. Generally, division is less advantageous than multiplication in terms of circuit size and arithmetic speed. Montgomery reduction does not use division and is thereby advantageous for miniaturization and speeding up. A division algorithm calculates a partial quotient when obtaining a remainder. If the calculation efficiency for the partial quotient is enhanced, an error is generated, and trial and error such as a re-addition and a re-subtraction is required. This is the reason why division is disadvantageous.

Both CRT and Montgomery reduction are techniques useful for increasing efficiency, and they are independent of each other, so that CRT and Montgomery reduction can be combined.

FIG. 1 is a schematic diagram showing a logical configuration to calculate a power remainder by using CRT and Montgomery reduction. The calculation of the power remainder is defined as raising an input m to the d-th power under a modulus pq. In an arithmetic device, mod (remainder calculation) arithmetic units 1 and 2 calculate remainders m_(p) (=m mod p) and m_(q) (=m mod q) for an input m of 2n-bit and a power exponent d and obtain remainders m_(p) and m_(q) of n-bit, respectively.

Next, Montgomery transform units 3 and 4 perform the Montgomery transform of the remainders m_(p) and m_(q), in preparation for using Montgomery arithmetic, and obtain transform results m_(p)′ (=m×R_(p) mod p) and m_(q)′ (=m×R_(q) mod q), respectively.

Here, R_(p) and R_(q) are constants calculated in advance. The constant R_(p) is a power of 2 larger than the prime number p, chosen so that a bit shift can replace the division during Montgomery reduction. Similarly, the constant R_(q) is a power of 2 larger than the prime number q.

Next, Montgomery power units 5 and 6 calculate power remainders using Montgomery reduction on the transform results m_(p)′ and m_(q)′, respectively, and obtain power remainders s_(p)′ (=m_(p)′ˆd_(p)×R_(p) mod p) and s_(q)′ (=m_(q)′ˆd_(q)×R_(q) mod q), respectively. Here, d_(p)=d mod (p−1) and d_(q)=d mod (q−1). The power exponents d_(p) and d_(q) are assumed to be calculated in advance. The symbol ˆ indicates the power.

Since the power remainders s_(p)′ and s_(q)′ are values on the Montgomery space, they should be returned to values on the finite field. Consequently, Montgomery inverse transform units 7 and 8 perform the Montgomery inverse transform on the power remainders s_(p)′ and s_(q)′ and obtain power remainders s_(p) (=s mod p) and s_(q) (=s mod q) on the finite field, respectively.

After this, a CRT arithmetic unit 9 solves simultaneous equations of the s_(p) (=s mod p) and the s_(q) (=s mod q) of n-bit on the basis of CRT and obtains s=s mod pq as a solution s of 2n-bit. This solution s is the power remainder s=m^(d) mod pq, the final result.

The power remainder calculation is completed as described above. In practice, the prime numbers p and q are set to around 512 bits and the input m is set to around 1,024 bits to assure security.

However, the arithmetic device described above requires remainder calculation (mod arithmetic) to reduce the number of bits in an input stage so as to combine CRT and Montgomery arithmetic.

The remainder calculation is considered necessary because the Montgomery transform units 3 and 4 accept the inputs m_(p) and m_(q) of n-bit but do not accept the input m of 2n-bit. However, the remainder calculation requires division to obtain a remainder. As stated above, division is disadvantageous in terms of circuit size and arithmetic speed.

BRIEF SUMMARY OF THE INVENTION

An object of the invention is to provide a Montgomery transform device and a program for achieving Montgomery arithmetic while omitting division in an input stage.

Another object of the invention is to provide an arithmetic device, an IC card, an encryption device, a decryption device and a program, which can execute power remainder calculation in which CRT and Montgomery arithmetic are combined while omitting the division in the input stage.

According to a first aspect of the present invention, there is provided a Montgomery transform device for obtaining a Montgomery transform result m′ (=mR mod p) of n-bit from an input m of 2n-bit on the basis of a multiplier R not less than n-bit and a modulus p of n-bit, comprising: a Montgomery reduction device configured to execute the Montgomery reduction composed of multiplication, addition and a bit shift to the input m of 2n-bit on the basis of the modulus p and the multiplier R and obtain a Montgomery reduction result (mR⁻¹ mod p) of n-bit; and a Montgomery multiplication device configured to execute the Montgomery multiplication of the Montgomery reduction result (mR⁻¹ mod p) by the cube of the multiplier R (R³ mod p) on the basis of the multiplier R and the modulus p and output the obtained Montgomery multiplication result (mR mod p) of n-bit as the m′ (=mR mod p).

According to a second aspect of the present invention, there is provided an arithmetic device for calculating the d-th power under a modulus pq to an input m of 2n-bit on the basis of multipliers R_(p) and R_(q) not less than n-bit, moduli p and q of n-bit and a power exponent d of n-bit to obtain a power remainder s (=m^(d) mod pq) of n-bit, comprising: a first Montgomery reduction device configured to execute the Montgomery reduction composed of multiplication, addition and a shift to the input m of 2n-bit on the basis of the multiplier R_(p) and the modulus p and obtain a first Montgomery reduction result (mR_(p)⁻¹ mod p) of n-bit; a first Montgomery multiplication device configured to execute the Montgomery multiplication of the first Montgomery reduction result by the cube of the multiplier R_(p) (R_(p)³ mod p) on the basis of the multiplier R_(p) and the modulus p and obtain a first Montgomery multiplication result m_(p)′ (=mR_(p) mod p); a first Montgomery power device configured to perform the d_(p)-th power of the first Montgomery multiplication result m_(p)′ [where d_(p)=d mod (p−1)] on the basis of the power exponent d, the multiplier R_(p) and the modulus p and obtain a first power remainder s_(p)′ (=m_(p)′ˆd_(p)×R_(p) mod p) of n-bit; a first Montgomery inverse transform device configured to execute the Montgomery inverse transform to the first power remainder s_(p)′ on the basis of the multiplier R_(p) and the modulus p and obtain a first Montgomery inverse transform result s_(p) (=m^(d) mod p) of n-bit; a second Montgomery reduction device configured to execute the Montgomery reduction to the input m on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery reduction result (mR_(q)⁻¹ mod q) of n-bit; a second Montgomery multiplication device configured to execute the Montgomery multiplication of the second Montgomery reduction result by the cube of the multiplier R_(q) (R_(q)³ mod q) on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery multiplication result m_(q)′ (=mR_(q) mod q) of n-bit; a second Montgomery power device configured to perform the d_(q)-th power of the second Montgomery multiplication result m_(q)′ of n-bit [where d_(q)=d mod (q−1)] on the basis of the power exponent d, the multiplier R_(q) and the modulus q and obtain a second power remainder s_(q)′ (=m_(q)′ˆd_(q)×R_(q) mod q) of n-bit; a second Montgomery inverse transform device configured to execute the Montgomery inverse transform to the second power remainder s_(q)′ on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery inverse transform result s_(q) (=m^(d) mod q) of n-bit; and a simultaneous equations solution device configured to solve simultaneous equations of the first Montgomery inverse transform result s_(p) and the second Montgomery inverse transform result s_(q) on the basis of the moduli p, q and the Chinese remainder theorem (CRT) and output the obtained solution (m^(d) mod pq) of n-bit as the power remainder s.

The arithmetic device in the second aspect of the invention may be mounted on an arbitrary device such as the IC card, the encryption device and the decryption device and used for power arithmetic.

The first aspect of the invention is configured to obtain a Montgomery transform result of n-bit from an input m of 2n-bit by Montgomery reduction and Montgomery multiplication, composed of multiplication, addition and a bit shift, instead of conventional mod arithmetic and Montgomery multiplication, and without using division. Consequently, the first aspect can achieve Montgomery arithmetic while omitting the division in the input stage.

Similarly, the second aspect has the configuration of the first aspect in the input stage of power remainder calculation using CRT, so that power remainder calculation combining CRT and Montgomery arithmetic can be executed while omitting the division in the input stage.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

FIG. 1 is a schematic diagram showing a logical configuration of a conventional arithmetic device;

FIG. 2 is a schematic diagram showing a configuration of a Montgomery transform device regarding a first embodiment of the invention;

FIG. 3 is a schematic diagram for explaining arithmetic using a multiplier R in the first embodiment;

FIG. 4 is a schematic diagram for explaining a general Montgomery multiplication function;

FIG. 5 is a schematic diagram showing a configuration of the general Montgomery multiplication function;

FIG. 6 is a schematic diagram for explaining the conventional Montgomery transform;

FIGS. 7 and 8 are schematic diagrams showing configurations of the conventional Montgomery transform;

FIG. 9 is a schematic diagram showing a configuration of an arithmetic device regarding a second embodiment of the invention;

FIG. 10 is a schematic diagram showing a configuration of a Montgomery reduction unit in the second embodiment;

FIG. 11 is a schematic diagram for explaining a general Montgomery power function;

FIG. 12 is a schematic diagram showing a configuration of a Montgomery power unit in the second embodiment;

FIG. 13 is a schematic diagram for explaining a general Montgomery inverse transform function;

FIG. 14 is a schematic diagram showing a configuration of a Montgomery inverse transform unit regarding the second embodiment;

FIG. 15 is a schematic diagram showing a configuration of a general Montgomery inverse transform function;

FIG. 16 is a schematic diagram for explaining a general CRT arithmetic function;

FIG. 17 is a schematic diagram showing a configuration of a CRT arithmetic unit in the second embodiment;

FIG. 18 is a schematic diagram showing a configuration of an IC card regarding a third embodiment of the invention;

FIG. 19 is a schematic diagram showing a configuration of an encryption accelerator regarding the third embodiment;

FIG. 20 is a schematic diagram showing a configuration regarding a seventh embodiment of the invention; and

FIG. 21 is a schematic diagram showing a configuration regarding an eighth embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

Hereinafter, each embodiment of the invention will be explained by referring to the drawings.

FIRST EMBODIMENT

FIG. 2 is the schematic diagram showing the configuration of the Montgomery transform device regarding the first embodiment of the invention. The same parts as those of FIG. 1 are given the same symbols and are not explained in detail; different parts are mainly explained here. Similarly, redundant explanation is omitted in each of the following embodiments.

That is, the first embodiment has a Montgomery transform device 10 for obtaining a Montgomery transform result m′ (=mR mod p) of n-bit from an input m of 2n-bit without using division, in contrast to a conventional mod arithmetic unit 1 and a Montgomery transform unit 3.

The Montgomery transform device 10 can be realized by a hardware configuration or by a combination of a hardware configuration and a software configuration. In the latter case, the software configuration is achieved by installing a program acquired from a computer readable storage medium M or a network into a computer of the Montgomery transform device 10. This program realizes the functions of a Montgomery reduction unit 11 and a Montgomery multiplication unit 12 by the computer of the Montgomery transform device 10. Each device described in the following embodiments, such as an arithmetic device 13, an IC card 20, an encryption device 20E and a decryption device 20D, can be realized similarly.

Here, the Montgomery transform device 10 has the Montgomery reduction unit 11 and the Montgomery multiplication unit 12.

The Montgomery reduction unit 11 calculates the Montgomery reduction of the input m of 2n-bit on the basis of a multiplier R not less than n-bit and a modulus p of n-bit and outputs the obtained Montgomery reduction result (m×R⁻¹ mod p) of n-bit to the Montgomery multiplication unit 12. The Montgomery reduction is arithmetic which is composed of multiplication, addition and a bit shift and does not use division. The Montgomery reduction is described, for example, in A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, “Handbook of applied cryptography”, CRC Press, section 14, etc., (1997) (hereinafter referred to as “Handbook of applied cryptography”).

The multiplier R is a constant calculated in advance. The constant R is a power of 2 larger than a prime number p, chosen so that the bit shift can be used instead of division when the Montgomery reduction is used. If the prime number p is a number of 512-bit, the constant is set to 2⁵¹². In the case that a byte shift or a word shift is more efficient than the bit shift, the constant R is selected as a multiple of the number of bits of a byte or a word.

Arithmetic using the multiplier R is explained here as a supplement. When the multiplier R is 2^(n), as shown in FIG. 3, remainder calculation (mod R) only needs to take the low-order n bits of arithmetic object data of 2n-bit, so the arithmetic is performed easily.

Division (multiplication by R⁻¹ or 1/R) only needs a right shift by n-bit so as to acquire the high-order n bits of the arithmetic object data of 2n-bit, so that the arithmetic is facilitated.

Multiplication (mR) only needs a left shift by n-bit of the arithmetic object data m, so the arithmetic is easily performed.

The Montgomery multiplication unit 12 has a Montgomery multiplication function executing the Montgomery multiplication of the Montgomery reduction result from the Montgomery reduction unit 11 by the cube of the multiplier R (R³ mod p) on the basis of the multiplier R not less than n-bit and the modulus p of n-bit. The Montgomery multiplication unit 12 outputs the obtained Montgomery multiplication result (m×R mod p) of n-bit as the Montgomery multiplication result m′.

Here, the Montgomery multiplication function is a function 12 f for calculating an output a×b×R⁻¹ of n-bit from two n-bit inputs a and b, as shown in FIG. 4. Specifically, for example, as shown in FIG. 5, the Montgomery multiplication function 12 f can be realized by a configuration composed of a normal multiplication function 12 f 1 to multiply n-bit inputs a and b with each other and a Montgomery reduction function 12 f 2 to calculate the Montgomery reduction for a multiplication result a×b.

The cube of the multiplier R (R³ mod p) needs to be calculated, for example, in advance. The cube of the multiplier R (R³ mod p) is by no means limited to this; it is sufficient that the cube of the multiplier R is calculated and stored in advance by calculating and storing the square of the multiplier R (R² mod p) to be processed by the Montgomery multiplication.

In the case that the square of the multiplier R is needed to be separately stored, a storage area can be saved in comparison with the case that both the cube of the multiplier R (R³ mod p) and the square of the multiplier R (R² mod p) are required to be stored. However, in the case that the square of the multiplier R is not needed to be stored separately, both ways described above are sufficient for storing the cube of the multiplier R.

Each calculation of the Montgomery reduction and the Montgomery multiplication is described, for example, in the “Handbook of applied cryptography” mentioned above.

Next, operations of the Montgomery transform device composed as stated above will be explained. The conventional Montgomery transform unit 3, as shown in FIG. 1, receives an input of n-bit. In contrast, the Montgomery transform device 10 in the first embodiment differs in that it receives an input of 2n-bit. The operations are explained in sequence as follows.

The Montgomery transform device 10 performs the Montgomery transform for the input m of 2n-bit by means of the Montgomery reduction unit 11. At this time, the Montgomery reduction unit 11 executes the Montgomery reduction for the input m of 2n-bit on the basis of the multiplier R not less than n-bit and the modulus p of n-bit, and outputs the obtained Montgomery reduction result (m×R⁻¹ mod p) of n-bit to the Montgomery multiplication unit 12.

Next, the Montgomery transform device 10 performs the Montgomery multiplication of the Montgomery reduction result by the multiplier R³ mod p of n-bit by means of the Montgomery multiplication unit 12. At this time, the Montgomery multiplication unit 12 executes the Montgomery multiplication of the Montgomery reduction result by the cube of the multiplier R (R³ mod p), based on the multiplier R of not less than n-bit and the modulus p of n-bit, and outputs the Montgomery multiplication result (m×R mod p) of n-bit as a Montgomery transform result m′.

Thereby, the Montgomery transform device 10 can obtain the Montgomery transform result m′ (m×R mod p) of n-bit from the input m of 2n-bit.

According to the first embodiment as stated above, since the configuration obtains the Montgomery transform result of n-bit from the input m of 2n-bit by using the Montgomery reduction and the Montgomery multiplication, without having to use division, instead of using the conventional arithmetic and the Montgomery transform, the first embodiment can achieve the Montgomery arithmetic while omitting division (mod arithmetic) in the input step.

As shown in FIG. 6, the conventional Montgomery transform takes as inputs the input m, the constant R and the modulus p of n-bit and outputs the Montgomery transform result m×R mod p. The conventional Montgomery transform operates as shown in FIG. 7 or FIG. 8. The conventional Montgomery transform shown in FIG. 7 performs direct calculation by a left shift function to make a left shift of the input m and a mod arithmetic function 3 f 2 to acquire a remainder under the modulus p of the left-shifted input m. A symbol r indicates the number of bits of the multiplier R. The conventional Montgomery transform shown in FIG. 8 is calculated by a Montgomery multiplication function 3 f 3 of the input m of n-bit by the square of the constant R (R² mod p). The square of the constant R (R² mod p) is calculated in advance.

In any event, the conventional Montgomery transform can treat only inputs of n-bit as shown in FIGS. 6 to 8, so that the conventional Montgomery transform requires the mod arithmetic unit 1 to reduce the number of bits of the input m from 2n-bit to n-bit in the input stage.

On the other hand, the Montgomery transform device 10 regarding the first embodiment can obtain the Montgomery transform result of n-bit from the input m of 2n-bit while omitting the division in the input stage, as stated above.

SECOND EMBODIMENT

FIG. 9 is the schematic diagram showing the configuration of the arithmetic device regarding the second embodiment of the invention.

The second embodiment relates to an arithmetic device 13 having Montgomery transform units 101 and 102 with the same configuration as that of the Montgomery transform device 10 shown in FIG. 2, instead of the mod arithmetic units 1 and 2 and the Montgomery transform units 3 and 4 shown in FIG. 1.

Here, Montgomery transform units 101 and 102 respectively have the Montgomery reduction units 11 and 12.

The rest of the second embodiment, namely the Montgomery power units 5 and 6, the Montgomery inverse transform units 7 and 8, and the CRT arithmetic unit 9, is as described above. The respective arithmetic in the Montgomery reduction, the Montgomery power, the Montgomery inverse transform, the CRT arithmetic, etc., will be explained briefly by referring to the case of the modulus p. It is obvious that the case of the modulus q can be calculated similarly. The details of the respective arithmetic are described in “Handbook of applied cryptography”.

The Montgomery reduction unit 11, as shown in FIG. 10, does not use division and uses the Montgomery reduction to calculate an output x_(p)=m×R⁻¹ mod p of n-bit from the input m of 2n-bit. An efficient calculation method for the Montgomery reduction using multiple length arithmetic is described in detail in “Handbook of applied cryptography” mentioned above.

As shown in FIG. 11, the Montgomery power unit 5 has a Montgomery power function 5 f to calculate an output m^(d)×R mod p of n-bit for the input m of n-bit. Here, the Montgomery power unit 5, as shown in FIG. 12, performs the d_(p)-th power [where d_(p)=d mod (p−1)] on the Montgomery multiplication result m_(p)′ from the Montgomery multiplication unit 12 to obtain a power remainder s_(p)′ (=m_(p)′ˆd_(p)×R_(p) mod p), based on the power exponent d, the multiplier R_(p) and the modulus p.

As shown in FIG. 13, the Montgomery inverse transform unit 7 has a Montgomery inverse transform function 7 f to transform the input m of n-bit into an output m×R⁻¹ of n-bit. Here, as shown in FIG. 14, the Montgomery inverse transform unit 7 executes the Montgomery inverse transform on the power remainder s_(p)′ from the Montgomery power unit 5 on the basis of the power exponent d, the multiplier R_(p) and the modulus p and obtains a Montgomery inverse result s_(p) (=m^(d) mod p) of n-bit.

The process of the Montgomery inverse transform is described in detail here.

$\begin{aligned}
s_p &= s_p' R_p^{-1} \bmod p \\
&= \left( (m_p')^{d_p} R_p \right) R_p^{-1} \bmod p \\
&= (m_p')^{d_p} R_p^{-1} \bmod p \\
&= m^{d_p} R_p^{d_p} R_p^{-(d_p - 1)} R_p^{-1} \bmod p \\
&= m^{d_p} \bmod p \\
&= m^{d \bmod (p-1)} \bmod p \\
&= m^{k(p-1)+d} \bmod p \\
&= \left( m^{p-1} \right)^{k} m^{d} \bmod p \\
&= m^{d} \bmod p
\end{aligned}$

Here, k is an arbitrary integer, and the equation m^(p−1)≡1 mod p is Fermat's little theorem.

As shown in FIG. 15, the Montgomery inverse function 7 f can be realized by a Montgomery multiplication function to multiply the input m by one.

The CRT arithmetic unit 9, as shown in FIG. 16, has a CRT arithmetic function 9 f to calculate a mod pq of 2n-bit on the basis of two n-bit inputs of (s mod p) and (s mod q), based on the CRT. Here, as shown in FIG. 17, the CRT arithmetic unit 9 solves the simultaneous equations of the Montgomery inverse transform results s_(p) and s_(q) output from the two Montgomery inverse transform units 7 and 8 on the basis of the moduli p and q and the CRT, respectively, and outputs the obtained solution (m^(d) mod pq) of n-bit as a power remainder s.

Next, operations of the arithmetic device constituted as stated above will be explained.

The arithmetic device 13 performs the Montgomery reduction on each input m of 2n-bit by means of each Montgomery reduction unit 11, respectively. At this time, one Montgomery reduction unit 11 executes the Montgomery reduction on the input m of 2n-bit in accordance with the multiplier R not less than n-bit and the modulus p of n-bit and outputs the obtained Montgomery reduction result x_(p) (=mR⁻¹ mod p) of n-bit to the Montgomery multiplication units 12. Similarly, the other Montgomery reduction unit 11 executes the Montgomery reduction on the input m of 2n-bit in accordance with the multiplier R not less than n-bit and the modulus q of n-bit and outputs the obtained Montgomery reduction result x_(q) (=mR⁻¹ mod q) of n-bit to the Montgomery multiplication units 12.

Then, one Montgomery multiplication unit 12 performs the Montgomery multiplication of the Montgomery reduction result x_(p) by the multiplier (R_(p)³ mod p) and outputs the obtained Montgomery multiplication result m_(p)′ (=m×R_(p) mod p) to the Montgomery multiplication unit 5. Similarly, the other Montgomery multiplication unit 12 performs the Montgomery multiplication of the Montgomery reduction result x_(q) by the multiplier (R_(q)³ mod q) and outputs the obtained Montgomery multiplication result m_(q)′ (=m×R_(q) mod q) to the Montgomery power unit 6.

The Montgomery multiplication results m_(p)′ and m_(q)′ respectively coincide with the outputs from the conventional Montgomery transform units 3 and 4 shown in FIG. 1. In the calculation so far, division is not used.

Thereafter, as shown in FIG. 1, the arithmetic device calculates the power remainder s=m^(d) mod pq on the basis of the CRT through the Montgomery power and the Montgomery inverse transform.

As mentioned above, according to the second embodiment, since the configuration for obtaining the Montgomery transform result of n-bit from the input m of 2n-bit by using the Montgomery reduction and the Montgomery multiplication instead of the conventional mod arithmetic and the Montgomery transform is provided in the input stage of the power remainder calculation, the arithmetic device 13 can execute the power remainder calculation combining the CRT and the Montgomery arithmetic while omitting the division in the input stage.

In addition, the arithmetic device 13 in the second embodiment can be implemented efficiently by combining the CRT and the Montgomery arithmetic even though no division is present in the input stage, so that the circuit size can be miniaturized and the arithmetic speed can be accelerated. Division is arithmetic in which running time and processing vary with the input, so that division has the drawback of being weak against side channel attack. The arithmetic device 13 regarding the second embodiment does not use division and can consequently improve security against the side channel attack.
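The following sketch is an added example, not code from the patent. It traces the transform of the first embodiment (Montgomery reduction of the 2n-bit input, then Montgomery multiplication by R³ mod p) and the CRT power remainder pipeline of the second embodiment. The function names, the 64-bit primes, the exponent and the message are constructed for illustration, and the input is assumed to satisfy m < pq so that it stays below R×p for both moduli.

```python
# Added example, not the patent's code. Requires Python 3.8+ for pow(x, -1, m).

def mont_setup(p, n):
    """Per-modulus constants, computed once in advance (division allowed here)."""
    R = 1 << n                          # multiplier R = 2^n, must exceed p
    assert p % 2 == 1 and p < R
    return {
        "p": p, "n": n, "R": R, "mask": R - 1,
        "np": (-pow(p, -1, R)) % R,     # -p^-1 mod R, drives the reduction
        "R3": pow(R, 3, p),             # R^3 mod p, the stored cube
    }

def redc(T, c):
    """Montgomery reduction T*R^-1 mod p using multiply, add and shift only."""
    if not 0 <= T < c["R"] * c["p"]:
        raise ValueError("input must be below R*p")
    u = ((T & c["mask"]) * c["np"]) & c["mask"]   # mod R is a mask
    t = (T + u * c["p"]) >> c["n"]                # division by R is a shift
    return t - c["p"] if t >= c["p"] else t       # t < 2p at this point

def mont_mul(a, b, c):
    """Montgomery multiplication a*b*R^-1 mod p."""
    return redc(a * b, c)

def mont_transform_2n(m, c):
    """2n-bit m -> m*R mod p with no division in the data path."""
    x = redc(m, c)                      # m*R^-1 mod p
    return mont_mul(x, c["R3"], c)      # (m*R^-1)*(R^3)*R^-1 = m*R mod p

def mont_pow(mp, e, c):
    """Square-and-multiply in Montgomery form: returns m^e * R mod p."""
    acc = mont_transform_2n(1, c)       # 1 in Montgomery form (R mod p)
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc, c)
        if bit == "1":
            acc = mont_mul(acc, mp, c)
    return acc

def mont_inverse(s, c):
    """Montgomery inverse transform: multiply by one, giving s*R^-1 mod p."""
    return mont_mul(s, 1, c)

def crt_power(m, d, p, q, n):
    """m^d mod pq via the two Montgomery branches and CRT recombination."""
    cp, cq = mont_setup(p, n), mont_setup(q, n)
    dp, dq = d % (p - 1), d % (q - 1)   # precomputed exponents d_p, d_q
    q_inv = pow(q, -1, p)               # precomputed CRT constant
    sp = mont_inverse(mont_pow(mont_transform_2n(m, cp), dp, cp), cp)
    sq = mont_inverse(mont_pow(mont_transform_2n(m, cq), dq, cq), cq)
    h = ((sp - sq) * q_inv) % p         # Garner's form of the CRT step
    return sq + q * h

# Constructed sample values (illustrative sizes, far too small for real use).
N_BITS = 64
P = 2**61 - 1                           # Mersenne prime
Q = 2**64 - 59                          # largest prime below 2^64
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent for the sample key
M = 0x123456789ABCDEF00FEDCBA987654321  # constructed message, M < P*Q

if __name__ == "__main__":
    s = crt_power(M, D, P, Q, N_BITS)
    print(hex(s), s == pow(M, D, P * Q))
```

The conditional subtraction at the end of redc and the bit-dependent multiplication in mont_pow are data-dependent, so this sketch is not constant-time; it only shows that the input stage needs no division.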

THIRD EMBODIMENT

FIG. 18 is the schematic diagram showing the IC card regarding the third embodiment of the invention. This IC card 20 has an IC chip 30.

In the IC chip 30, a ROM 31, an NVRAM 32, a RAM 33, I/O 34, a CPU 35 and an encryption accelerator 36 are connected to one another through a bus 37. The hardware structure other than the encryption accelerator 36 is the same as that of a usual computer. The arithmetic device 13 is mounted as the encryption device (accelerator) 36; however, it is not limited to this structure and may be mounted as a combination of the encryption accelerator 36 and one function of the CPU 35.

The encryption accelerator (coprocessor) 36 is an arithmetic device to make encryption processing efficient and, as shown in FIG. 19, has a product-sum arithmetic circuit 38 and a control circuit 39.

The product-sum arithmetic circuit 38 is composed of a plurality of arithmetic units such as a register 38 a, an ALU (arithmetic and logical unit) 38 b, a multiplication device 38 c and an adder 38 d, and has a function to calculate the power remainder (m^(d) mod pq) of n-bit from the input m of 2n-bit input from the bus 37 in accordance with control from the control circuit 39.

The control circuit 39 controls the product-sum arithmetic circuit 38 so as to execute a series of power remainder calculations composed of the Montgomery reduction, the Montgomery multiplication, the Montgomery power, the Montgomery inverse transform and the CRT arithmetic stated in the second embodiment. The series of power remainder calculations can be realized by the combination of arithmetic by means of the multiplication device 38 c, the adder 38 d, etc.

Next, operations of the IC card configured as described above are explained below.

In the IC card 20, it is assumed that the power remainder (m^(d) mod pq) is required to be calculated for arithmetic object data m during processing of some kind in the CPU 35. The processing of some kind means, for example, encryption processing, decryption processing, signature generation processing, signature verification processing or the like.

The CPU 35 inputs the arithmetic object data m of 2n-bit into the encryption accelerator 36. In the encryption accelerator 36, the product-sum arithmetic circuit 38 executes a series of power remainder calculations on the input m of 2n-bit in accordance with the control from the control circuit 39.

At this moment, the control circuit 39 controls an input stage of thepower reminder calculation using the CRT so as to obtain the Montgomerytransform result of n-bit from the input m of 2n-bit by using theMontgomery reduction and the Montgomery multiplication.

Therefore, the encryption accelerator 36 can execute the power remindercalculation with the combination of the CRT and the Montgomeryarithmetic while omitting the division in the input stage. Theencryption accelerator 36 writes the obtained power reminder (m^(d) modpq) power reminder of n-bit into the RAM 32 through the bus 37.

The CPU 35 continues processing by using the power reminder in the RAM32.

As mentioned above, according to the third embodiment, since the IC chip30 is provided with the encryption accelerator 36 to execute the powerreminder calculation described in relation to the second embodiment, thethird embodiment can achieve the IC card 20 bring about the effect ofthe second embodiment.

The third embodiment needs not to be limited to the control from thecontrol circuit 39, and it is sufficient for the third embodiment to beconfigured to make the CPU 35 control the power reminder calculation tobe done by the encryption accelerator 36. Even such a modification hasmade, the third embodiment can realize the IC card for obtaining theeffect of the second embodiment as stated above.
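The power remainder calculation described above (Montgomery reduction of the 2n-bit input, Montgomery multiplication by R³ mod p, Montgomery power, Montgomery inverse transform, CRT), as an added Python example that is not part of the patent text. It assumes R = 2^n and moduli of exactly n bits, treats the per-modulus constants (-p⁻¹ mod R, R² mod p, R³ mod p) and the CRT recombination as ordinary precomputed or host-side arithmetic, and all function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MontCtx:
    p: int          # odd modulus of exactly n bits
    n: int          # R = 2**n
    mask: int       # R - 1, used for "mod R"
    p_neg_inv: int  # -p^-1 mod R
    r2: int         # R^2 mod p
    r3: int         # R^3 mod p


def mont_setup(p, n):
    """Precompute constants once per modulus (assumed done at key installation)."""
    if p % 2 == 0 or p.bit_length() != n:
        raise ValueError("p must be odd and exactly n bits long")
    R = 1 << n
    r2 = R * R % p
    return MontCtx(p, n, R - 1, (-pow(p, -1, R)) % R, r2, r2 * R % p)


def mont_red(t, c):
    """Montgomery reduction: t * R^-1 mod p using multiply, add and shift only."""
    if not 0 <= t < 1 << (2 * c.n):
        raise ValueError("input must fit in 2n bits")
    k = ((t & c.mask) * c.p_neg_inv) & c.mask   # k = -t * p^-1 mod R
    u = (t + k * c.p) >> c.n                    # exact: low n bits are zero
    # t < R^2 and R <= 2p give u < R + p <= 3p, so two subtractions suffice.
    if u >= c.p:
        u -= c.p
    if u >= c.p:
        u -= c.p
    return u


def mont_mul(a, b, c):
    """Montgomery multiplication: a * b * R^-1 mod p for a, b < p."""
    return mont_red(a * b, c)


def mont_transform(m, c):
    """Input stage without division: (m R^-1) * R^3 * R^-1 = m R mod p."""
    return mont_mul(mont_red(m, c), c.r3, c)


def mont_pow(x_m, e, c):
    """x^e in Montgomery form. Plain square-and-multiply: it branches on the
    exponent bits, so it is not a constant-time ladder."""
    acc = mont_red(c.r2, c)                     # R mod p, i.e. 1 in Montgomery form
    for bit in bin(e)[2:]:
        acc = mont_mul(acc, acc, c)
        if bit == "1":
            acc = mont_mul(acc, x_m, c)
    return acc


def crt_power_remainder(m, d, p, q, n):
    """m^d mod pq from a 2n-bit input m, one Montgomery pipeline per prime."""
    residues = []
    for modulus in (p, q):
        c = mont_setup(modulus, n)
        x_m = mont_transform(m, c)                      # m R mod modulus
        s_m = mont_pow(x_m, d % (modulus - 1), c)       # d_p or d_q
        residues.append(mont_red(s_m, c))               # inverse transform
    s_p, s_q = residues
    h = (pow(q, -1, p) * (s_p - s_q)) % p               # Garner recombination
    return s_q + h * q


if __name__ == "__main__":
    # Constructed toy parameters: two 17-bit primes, far too small for real use.
    P, Q, N_BITS = 65537, 131071, 17
    print(crt_power_remainder(123456789, 0x1234567, P, Q, N_BITS))
```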

FOURTH-SIXTH EMBODIMENTS

The fourth-sixth embodiments will be explained as follows. The fourth-sixth embodiments are examples of the third embodiment, in which the processing executed by the CPU 35 is defined as RSA signature processing, RSA decryption processing or DSA signature processing. They are explained in sequence below.

FOURTH EMBODIMENT

The fourth embodiment relates to the IC card 20 having the encryption accelerator 36 and executing the RSA signature processing to document data D of a signature object by using a private key d of the RSA signature system.

The IC card 20 has the ROM 31 with the program to make the CPU 35 execute the following functions 35 f 1-35 f 4 stored thereon.

(35 f 1): A function of calculating a one-way hash function of document data D to obtain a hash value h(D) when executing the RSA encryption processing.

(35 f 2): A function of inputting the hash value h(D) as the input m into the encryption accelerator 36 and inputting the private key d as the power exponent d into the encryption accelerator 36.

(35 f 3): A function of inputting the power exponent d, and then, storing the power remainder s output from the encryption accelerator 36 as the RSA signature s [=h(D)^(d) mod pq] into the NVRAM 32.

(35 f 4): A function of outputting the RSA signature s to an external computer, etc., through the I/O 34.

According to the foregoing configuration, the CPU 35 makes the encryption accelerator 36 execute the power remainder calculation for the hash value h(D); thereby, the fourth embodiment can achieve the IC card 20 to bring about the effect of the second embodiment in the RSA signature processing.

FIFTH EMBODIMENT

The fifth embodiment relates to the IC card 20 having the foregoing encryption accelerator 36 and executing the RSA decryption processing by using a private key d being a key pair of a public key e to an encrypted text c (=D^(e) mod pq) in which plaintext data D is encrypted by using the public key e of the RSA decryption processing.

The IC card 20 has the ROM 31 with the program to make the CPU 35 execute the following functions 35 f 11-35 f 14 stored thereon.

(35 f 11): A function of inputting the encrypted text c as the input m into the encryption accelerator 36 and inputting the private key d as a power exponent d into the encryption accelerator 36 when executing the RSA decryption processing.

(35 f 12): A function of storing the power remainder s output from the encryption accelerator 36 as the RSA decryption result s (=c^(d) mod pq) into the NVRAM 32 after inputting the input m and the private key d.

(35 f 13): A function of outputting the RSA decryption result s to the external computer, etc., through the I/O 34.

According to such a configuration, when the RSA decryption processing is performed, the CPU 35 makes the encryption accelerator 36 execute the power remainder calculation for the encrypted text c, so that the fifth embodiment can achieve the IC card 20 to bring about the effect of the second embodiment in the RSA decryption processing.

SIXTH EMBODIMENT

The sixth embodiment relates to the IC card having the foregoing encryption accelerator 36 and executing the DSA signature processing to the document data D to be signed on the basis of a public key g and a private key x of the DSA signature system.

The IC card 20 has the ROM 31 with the program to make the CPU 35 execute the following functions 35 f 21-35 f 28 stored thereon.

(35 f 21): A function of selecting at random a random number k from a multiplication group z_(q)* of the modulus q when executing the DSA signature processing.

(35 f 22): A function of inputting the public key g as the input m into the encryption accelerator 36 and inputting the random number k as the power exponent d into the encryption accelerator 36.

(35 f 23): A function of controlling the encryption accelerator 36, after inputting the public key g and the random number k, so as to function as one Montgomery transform unit 10₁, the Montgomery power unit 5 and the Montgomery inverse transform unit 7.

(35 f 24): A function of generating first part data r [=(g^(k) mod p) mod q] of the DSA signature on the basis of the power remainder (g^(k) mod p) output from the encryption accelerator 36 and the modulus q stored in advance.

(35 f 25): A function of calculating the one-way hash function of the document data D and obtaining the hash value h(D).

(35 f 26): A function of executing the DSA signature processing on the basis of the random number k, the hash value h(D), the private key x, the first part data r and the modulus q and generating a second part data s [=k⁻¹ (h(D)+xr) mod q].

(35 f 27): A function of storing the first and the second partial data r and s as a DSA signature (r, s) into the NVRAM 32.

(35 f 28): A function of outputting the DSA signature (r, s) to the external computer, etc., through the I/O 34.

According to the foregoing configuration, at the time of the DSA signature processing, the CPU 35 makes the encryption accelerator 36 execute the power remainder calculation for the encrypted text c; thereby, the sixth embodiment can achieve the IC card 20 to bring about the effect of the second embodiment in the DSA signature processing.

SEVENTH AND EIGHTH EMBODIMENTS

The seventh and the eighth embodiments of the invention will be explained by referring to FIGS. 20 and 21.

The seventh and eighth embodiments are respectively specific examples and modified examples of the third embodiment, in which the processing executed by the CPU 35 is respectively defined as the RSA encryption processing or the RSA decryption processing. However, instead of the IC card 20, an encryption device 20E or a decryption device 20D respectively having IC chips 30 similar to the IC card 20 are achieved as the seventh and eighth embodiments. They are explained as follows.

SEVENTH EMBODIMENT

As shown in FIG. 20, the seventh embodiment relates to the encryption device 20E having the foregoing encryption accelerator 36 and executing the RSA encryption processing to the plaintext data D to be encrypted, based on the public key e in the RSA encryption system.

Here, the encryption device 20E has the ROM 31 with the program to make the CPU 35 execute the following functions 35 f 31-35 f 33 stored therein.

(35 f 31): A function of inputting the plaintext data D as the input m into the encryption accelerator 36 and inputting the public key e as the power exponent d into the encryption accelerator 36, when executing the RSA encryption processing.

(35 f 32): A function of storing the power remainder s output from the encryption accelerator 36 as the RSA encrypted text c (=D^(e) mod pq), after inputting the input m and the power exponent d.

(35 f 33): A function of outputting the RSA encrypted text c to the external computer, etc., through the I/O 34.

According to the configuration described above, at the time of the RSA encryption processing, the CPU 35 makes the encryption accelerator 36 execute the power remainder calculation for the plaintext data D, so that the seventh embodiment can achieve an encryption device to bring about the effect of the second embodiment.

EIGHTH EMBODIMENT

As shown in FIG. 21, the eighth embodiment relates to the decryption device 20D having the foregoing encryption accelerator 36 and executing the RSA decryption processing to the encrypted text c (=D^(e) mod pq) in which the plaintext data D is encrypted by using the public key e of the RSA encryption system by using the private key d being the key pair of the public key e.

Here, the decryption device 20D has the ROM 31 with the program to make the CPU 35 execute the following functions 35 f 41-35 f 43 stored therein.

(35 f 41): A function of inputting the encrypted text c as the input m into the encryption accelerator 36 and inputting the private key as the power exponent d into the encryption accelerator 36, when executing the RSA decryption processing.

(35 f 42): A function of storing the power remainder s output from the encryption accelerator 36 as the RSA decryption result s (=c^(d) mod pq) into the NVRAM 32, after inputting the input m and the power exponent d.

(35 f 43): A function of outputting the RSA decryption result s to the external computer, etc., through the I/O 34.

According to the configuration mentioned above, since the CPU 35 makes the encryption accelerator 36 execute the power remainder calculation for the encrypted text c, the eighth embodiment can realize the decryption device to bring about the effect of the second embodiment in the RSA decryption processing.

Note that the techniques described in the above-described respective embodiments are stored as programs which can be executed by computers in recording media such as magnetic disks (floppy (registered trademark) disks, hard disks, and the like), optical disks (CD-ROM/DVD and the like), optical magnetic disks (MO), semiconductor memories, and the like, and can be distributed.

Further, as the recording media, recording media which can store programs therein and which computers can read may have any form of the storing system.

Further, middleware (MW) or the like such as an operating system (OS), database management software, network software, or the like, which is working on a computer on the basis of an instruction of the program installed in the computer from the storage medium may execute some of the respective processings for realizing the present embodiment.

Moreover, the recording media in the present invention are not limited to media independent of the computer, and recording media in which a program transmitted by LAN, Internet, or the like is downloaded, and stored or temporarily stored are included therein.

Further, the storage medium is not limited to one, and a case where the processings in the present embodiment are executed from a plurality of media is included in the storage medium in the present invention, and the medium configuration may be any configuration.

Note that the computer in the present invention is to execute the respective processings in the present embodiment on the basis of the program stored in the storage medium, and may be any configuration of an apparatus formed from one such as a personal computer, a system in which a plurality of apparatuses are connected through a network, and the like.

Note that the computer in the present invention is not limited to a personal computer, and includes an arithmetic processing device, a microcomputer, and the like included in information processing equipment, and is a general term for equipment/apparatus which can realize the functions of the present invention by the program.

Note that the present invention is not limited to the above-described embodiments as they are, and structural requirements can be modified and materialized within a range which does not deviate from the gist of the present invention at the practical phase. Further, various inventions can be formed by appropriately combining the plurality of structural requirements which have been disclosed in the above-described embodiments. For example, several structural requirements may be eliminated from all of the structural requirements shown in the embodiments. Moreover, structural requirements over different embodiments may be appropriately combined.

1. A Montgomery transform device for obtaining a Montgomery transform result m′ (=mR mod p) of n-bit from an input m of 2n-bit on the basis of a multiplier R not less than n-bit and a modulus p of n-bit, comprising: a Montgomery reduction device configured to execute Montgomery reduction composed of multiplication, addition and a bit shift to the input m of 2n-bit on the basis of the modulus p and the multiplier R and obtain a Montgomery reduction result (mR⁻¹ mod p) of n-bit; and a Montgomery multiplication device configured to execute Montgomery multiplication of the Montgomery reduction result (mR⁻¹ mod p) by the cube of the multiplier R (R³ mod p) on the basis of the multiplier R and the modulus p and output the obtained Montgomery multiplication result (mR mod p) of n-bit as the m′ (=mR mod p).
2. An arithmetic device for calculating the d-th power under a modulus pq to an input m of 2n-bit on the basis of multipliers R_(p) and R_(q) not less than n-bit, moduli p and q of n-bit and a power exponent d of n-bit to obtain a power remainder s (=m^(d) mod pq) of n-bit, comprising: a first Montgomery reduction device configured to execute Montgomery reduction composed of multiplication, addition and a bit shift to the input m of 2n-bit on the basis of the multiplier R_(p) and the modulus p and obtain a first Montgomery reduction result (mR_(p)⁻¹ mod p) of n-bit; and a first Montgomery multiplication device configured to execute Montgomery multiplication of the first Montgomery reduction result by the cube of the multiplier R_(p) (R_(p)³ mod p) on the basis of the multiplier R_(p) and the modulus p and obtain a first Montgomery multiplication result m_(p)′ (=mR_(p) mod p) of n-bit; a first Montgomery power device configured to perform the d_(p)-th power of the first Montgomery multiplication result m_(p)′ [however, d_(p)=d mod (p−1)] on the basis of the power exponent d, the multiplier R_(p) and the modulus p and obtain a first power remainder s_(p)′ (=m_(p)′^(d_(p))×R_(p) mod p) of n-bit; a first Montgomery inverse transform device configured to execute Montgomery inverse transform to the first power remainder s_(p)′ on the basis of the multiplier R_(p) and the modulus p and obtain a first Montgomery inverse transform result s_(p) (=m^(d) mod p) of n-bit; a second Montgomery reduction device configured to execute Montgomery reduction composed of multiplication, addition and a bit shift to the input m of 2n-bit on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery reduction result (mR_(q)⁻¹ mod q) of n-bit; a second Montgomery multiplication device configured to execute Montgomery multiplication of the second Montgomery reduction result by the cube of the multiplier R_(q) (R_(q)³ mod q) on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery multiplication result m_(q)′ (=mR_(q) mod q) of n-bit; a second Montgomery power device configured to perform the d_(q)-th power of the second Montgomery multiplication result m_(q)′ of n-bit [however, d_(q)=d mod (q−1)] on the basis of the power exponent d, the multiplier R_(q) and the modulus q and obtain a second power remainder s_(q)′ (=m_(q)′^(d_(q))×R_(q) mod q) of n-bit; a second Montgomery inverse transform device configured to execute Montgomery inverse transform to the second power remainder s_(q)′ on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery inverse transform result s_(q) (=m^(d) mod q) of n-bit; and a simultaneous equations solution device configured to solve simultaneous equations of the first Montgomery inverse transform result s_(p) and the second Montgomery inverse transform result s_(q) on the basis of the moduli p, q and the Chinese remainder theorem (CRT) and output the obtained solution (m^(d) mod pq) of n-bit as the power remainder s.
3. An IC card having the arithmetic device according to the claim 2 and executing RSA signature processing to text data D to be signed by using a private key of an RSA signature system, the IC card comprising: a hash calculation device configured to calculate a one-way hash function of the text data D and obtain a hash value h(D); a first input device configured to input the hash value h(D) as the input m to the arithmetic device; a second input device configured to input the private key d as a power exponent d to the arithmetic device; and a signature output device configured to output a power remainder s output from the arithmetic device, as an RSA signature s [=h(D)^(d) mod pq], after inputting from the first and the second input devices.
4. An IC card having the arithmetic device according to claim 2 and executing RSA decryption processing to encrypted text c (=D^(e) mod pq), in which plaintext data D is encrypted by using a public key e of an RSA encryption system, by using a private key d being a pair key of the public key e, the IC card comprising: a first input device configured to input the encrypted text c as the input m to the arithmetic device when executing the RSA decryption processing; a second input device configured to input the private key d as a power exponent d to the arithmetic device; and a decryption result output device configured to output a power remainder s output from the arithmetic device, as an RSA decryption result s (=c^(d) mod pq), after inputting by the first and the second input devices.
5. An IC card having the arithmetic device according to claim 2 and executing DSA signature processing to text data D to be signed on the basis of a public key g and a private key x of a DSA signature system, the IC card comprising: a random selecting device configured to select a random number k from a multiplication group z_(q)* of a modulus q when executing the RSA decryption processing; a first input device configured to input the public key g as an input m to the first Montgomery reduction device; a second input device configured to input the random number k as a power exponent d to the first Montgomery reduction device; a first part data generation device configured to generate first part data r [=(g^(k) mod p) mod q] of a DSA signature on the basis of a power remainder (g^(k) mod p) output from the first Montgomery inverse transform device and a modulus q stored in advance, after inputting by the first and the second input devices; a hash calculation device configured to calculate a one-way hash function of the text data D and obtain a hash value h(D); a signature execution device configured to execute the DSA signature processing on the basis of the random number k, the hash value h(D), the private key x, the first part data r and the modulus q and generate second part data s {=k⁻¹ [h(D)+xr] mod q} of the DSA signature; and a signature output device configured to output the first and the second part data r and s as a DSA signature (r, s).
6. An encryption device having the arithmetic device according to claim 2 to execute RSA encryption processing to plaintext data D to be encrypted on the basis of a public key e of an RSA encryption system, the encryption device comprising: a first input device configured to input the plaintext data D as an input m to the arithmetic device when executing the RSA decryption processing; a second input device configured to input the public key e as a power exponent d to the arithmetic device; and an encrypted text output device configured to output a power remainder s as RSA encrypted text c (=D^(e) mod pq) output from the arithmetic device after inputting by the first and the second input devices.
7. A decryption device having the arithmetic device according to claim 2 and executing RSA decryption processing to encrypted text c (=D^(e) mod pq), in which plaintext data D is encrypted by using a public key e of an RSA encryption system, by using a private key being a key pair of the public key e, the decryption device comprising: a first input device configured to input the encrypted text data c as an input m to the arithmetic device when executing the RSA decryption processing; a second input device configured to input the public key e as a power exponent d to the arithmetic device; and a decrypted result output device configured to output a power remainder s as an RSA decrypted result s (=c^(d) mod pq) output from the arithmetic device after inputting by the first and the second input devices.
8. A program stored in a computer readable recording medium for use in a computer of a Montgomery transform device to obtain a Montgomery transform result m′ (=mR mod p) of n-bit from input m of 2n-bit on the basis of a multiplier R not less than n-bit and a modulus p of n-bit stored in a memory, the program comprising: first program code for making the computer sequentially execute Montgomery reduction processing to execute the Montgomery reduction composed of multiplication, addition and a bit shift to an input m of 2n-bit and obtain a Montgomery reduction result (mR⁻¹ mod p) of n-bit on the basis of the modulus p and the multiplier R in the memory; and second program code for making the computer sequentially execute Montgomery multiplication processing to execute the Montgomery multiplication of the Montgomery reduction result by the cube of the multiplier R (R³ mod p) on the basis of the multiplier R and the modulus p in the memory and output the obtained Montgomery multiplication result (mR mod p) of n-bit as the Montgomery transform result m′.
9. A program stored in a computer readable recording medium for use in a computer of an arithmetic device for calculating the d-th power under a modulus pq to an input m of 2n-bit on the basis of multipliers R_(p) and R_(q) not less than n-bit, moduli p and q of n-bit and an input power exponent d of n-bit to obtain a power remainder s (=m^(d) mod pq) of n-bit stored in a memory, the program comprising: first program code for making the computer sequentially execute first Montgomery reduction processing to execute the first Montgomery reduction composed of multiplication, addition and a bit shift to the input m of 2n-bit on the basis of the multiplier R and the modulus p in the memory and obtain a first Montgomery reduction result (mR_(p)⁻¹ mod p) of n-bit; second program code for making the computer sequentially execute first Montgomery multiplication processing to execute the first Montgomery multiplication of the first Montgomery reduction result by the cube of the multiplier R (R³ mod p) on the basis of the multiplier R and the modulus p in the memory and obtain a first Montgomery multiplication result m_(p)′ (mR_(p) mod p); third program code for making the computer sequentially execute first Montgomery power processing to perform the d_(p)-th power of the first Montgomery multiplication result m_(p)′ [wherein, d_(p)=d mod (p−1)] on the basis of the power exponent d, the multiplier R_(p) and the modulus p and obtain a first power remainder s_(p)′ (=m_(p)′^(d_(p))×R_(p) mod p) of n-bit; fourth program code for making the computer sequentially execute first Montgomery inverse transform processing to execute the first Montgomery inverse transform to the first power remainder s_(p)′ on the basis of the multiplier R and the modulus p in the memory and obtain a first Montgomery inverse transform result s_(p) (=m^(d) mod p) of n-bit on the basis of the multiplier R_(p) and the modulus p in the memory; fifth program code for making the computer execute second Montgomery reduction processing to execute the second Montgomery reduction composed of multiplication, addition and a bit shift to the input m on the basis of the multiplier R_(q) and the modulus q in the memory and obtain a second Montgomery reduction result (mR_(q)⁻¹ mod q) of n-bit; sixth program code for making the computer sequentially execute second Montgomery multiplication processing to execute the second Montgomery multiplication of the second Montgomery reduction result by the cube of the multiplier R (R_(q)³ mod q) on the basis of the multiplier R_(q) and the modulus q in the memory and obtain a second Montgomery multiplication result m_(q)′ (=mR_(q) mod q) of n-bit; seventh program code for making the computer sequentially execute second Montgomery power processing to perform the d_(q)-th power of the second Montgomery multiplication result m_(q)′ [however, d_(q)=d mod (q−1)] on the basis of the power exponent d, the multiplier R_(q) and the modulus q and obtain a second power remainder s_(q)′ (=m_(q)′^(d_(q))×R_(q) mod q) of n-bit; eighth program for making the computer sequentially execute second Montgomery inverse transform processing to execute the second Montgomery inverse transform to the second power remainder s_(q)′ on the basis of the multiplier R_(q) and the modulus q and obtain a second Montgomery inverse transform result s_(q) (=m^(d) mod q) of n-bit; and ninth program for making the computer sequentially execute power remainder output processing to solve simultaneous equations of the first Montgomery inverse transform result s_(p) and the second Montgomery inverse transform result s_(q) on the basis of the moduli p and q and the Chinese remainder theorem (CRT) in the memory and output the obtained solution (m^(d) mod pq) of n-bit as the power remainder s.
10. A program stored in a computer readable recording medium for use in a computer of an IC card which has an arithmetic device with the program according to claim 9 installed thereon and executes RSA signature processing to text data D to be signed, by using a private key in an RSA signature system, the program comprising: tenth program code for making the computer sequentially execute hash arithmetic processing to calculate a one-way hash function of the text data D when executing the RSA signature processing; eleventh program code for making the computer sequentially execute first input processing to input the hash value h(D) as the input m to the arithmetic device; twelfth program code for making the computer sequentially execute second input processing to input the private key d as a power exponent d to the arithmetic device; and thirteenth program code for making the computer sequentially execute signature output processing to output a power remainder s as an RSA signature s [=h(D)^(d) mod pq] output from the arithmetic device after the first and the second input processing.
11. A program stored in a computer readable recording medium for use in a computer of an IC card which has an arithmetic device with the program according to claim 9 installed thereon and executes RSA decryption processing to encrypted text c (=D^(e) mod pq), in which plaintext data D is encrypted by using a public key e of an RSA system, by using a private key d being a key pair of the public key e, the program comprising: tenth program code for making the computer sequentially execute first input processing to input the encrypted text c as the input m to the arithmetic device when executing the RSA decryption processing; eleventh program code for making the computer sequentially execute second input processing to input the private key d as a power exponent d to the arithmetic device; and twelfth program code for making the computer sequentially execute decryption result output processing to output a power remainder output from the arithmetic device, as an RSA decryption result s (=c^(d) mod pq) after the first and the second input processing.
12. A program stored in a computer readable recording medium for use in a computer of an IC card which has an arithmetic device with the program according to claim 9 installed thereon and executes DSA signature processing to text data D to be signed on the basis of a public key g and a private key x of a DSA signature system, the program comprising: tenth program code for making the computer sequentially execute random number selection processing to select a random number k at random from a multiplication group Z_(q)* of a modulus q when executing the DSA signature processing; eleventh program code for making the computer sequentially execute first input processing to input the public key g as the input m to first Montgomery reduction processing of the arithmetic device; twelfth program code for making the computer sequentially execute second input processing to input the random number k as a power exponent d to first Montgomery power processing of the arithmetic device; thirteenth program code for making the computer sequentially execute first part data generation processing to generate first part data r [=(g^(k) mod p) mod q] of a DSA signature on the basis of a power remainder (g^(k) mod p) output from first Montgomery inverse transform processing of the arithmetic device and a modulus q stored in advance after the first and the second processing; fourteenth program code for making the computer sequentially execute hash arithmetic processing to calculate a one-way hash function of the text data D and obtain a hash value h(D); fifteenth program code for making the computer sequentially execute second part data generation processing to execute DSA signature processing on the basis of the random number k, the hash value h(D), the private key x, the first part data r and the modulus q and generate second part data s {k⁻¹ [h(D)+xr] mod q} of the DSA signature; and sixteenth program code for making the computer sequentially execute signature output processing to output the first and the second part data r and s as a DSA signature (r, s).
13. A program stored in a computer readable recording medium for use in a computer of an encryption device which has an arithmetic device with the program according to claim 9 installed thereon and executes RSA encryption processing to text data D to be signed on the basis of a public key e and a private key of an RSA encryption system, the program comprising: tenth program code for making the computer sequentially execute first input processing to input the plaintext data D as the input m to the arithmetic device when executing the RSA encryption processing; eleventh program code for making the computer sequentially execute second input processing to input the public key e as a power exponent d to the arithmetic device; and twelfth program code for making the computer sequentially execute encrypted text output processing to output a power remainder output from the arithmetic device, as RSA encrypted text c (=D^(e) mod pq) after the first and the second input processing.
14. A program stored in a computer readable recording medium for use in a computer of a decryption device which has an arithmetic device with the program according to claim 9 installed thereon and executes RSA decryption processing to encrypted text c (=D^(e) mod pq), in which plaintext data D is encrypted by using a public key e in an RSA system, by using a private key d being a key pair of the public key e, the program comprising: tenth program code for making the computer sequentially execute first input processing to input the encrypted text c as the input m to the arithmetic device when executing the RSA decryption processing; eleventh program code for making the computer sequentially execute second input processing to input the private key d as a power exponent d to the arithmetic device; and twelfth program code for making the computer sequentially execute decryption result output processing to output a power remainder s output from the arithmetic device, as an RSA decryption result s (=c^(d) mod pq) after the first and the second input processing.